Security Advisory

Zend_Feed_Rss and Zend_Feed_Atom were found to
contain potential XML eXternal Entity (XXE) vectors due to insecure usage of
PHP's DOM extension. External entities could be specified by adding a specific
DOCTYPE element to feeds; exploiting this vulnerability could
coerce opening arbitrary files and/or TCP connections.

A similar issue was fixed for 1.11.13 and 1.12.0, in the
Zend_Feed::import() factory method; however, the reporter of
the issue discovered that the individual classes contained similar
functionality in their constructors which remained vulnerable.

Action Taken

A patch was applied that removes the XXE vector by calling
libxml_disable_entity_loader() before attempting to parse the feed via
DOMDocument::loadXML().

Recommendations

If you are using any of the components listed, and, in particular, were
directly instantiating them, we recommend upgrading to either version
1.11.15 or 1.12.1 or greater.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and
working with us to help protect its users:

Yury Dyachenko at Positive Research Center

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend
Framework, please report it to us at zf-security@zend.com. We will
work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

Component(s) affected

A description indicating how to reproduce the issue

A summary of the security vulnerability and impact

We request that you contact us via the email address above and give the
project contributors a chance to resolve the vulnerability and issue a new
release prior to any public exposure; this helps protect Zend Framework
users and provides them with a chance to upgrade and/or update in order to
protect their applications.

Policy

We will patch the current release branch, as well as the immediate prior
minor release branch.

After patching the release branches, we will immediately issue new
security fix releases for each patched release branch.

A security advisory will be released on the Zend Framework site
detailing the vulnerability, as well as recommendations for end-users to
protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as
via a feed (which is also present in the
website head for easy feed discovery)